"Invalid JSON from server" even when Push response contains Vaadin-Refresh

[HermanBovens]

Description of the bug

Our Vaadin 22 application is fronted by an SSO solution. When the session has timed out, the login page is returned as HTML when Vaadin performs a request and expects JSON. That login page contains the string Vaadin-Refresh.

In the past this caused Vaadin to refresh the page, but now the following error is shown:

As you can see, the string Vaadin-Refresh is still present. But we did upgrade from Vaadin 14 to Vaadin 22 and from Spring Boot 1.5.x to 2.5.x not so long ago.

Expected behavior

No error should be shown and the page should be refreshed instead.

Minimal reproducible example

I don't know of any other way to reproduce this than to add a reverse proxy in front of a Vaadin application and make it return an HTML page containing Vaadin-Refresh at some point when Vaadin makes an internal request.

Versions

• Vaadin / Flow version: 22.0.9
• Java version: 1.8
• Application Server (if applicable): Spring Boot 2.5.14

[Legioth]

It might help pinning down the issue if you could also provide information (e.g. request URL and parameters) to identify what type of request this is so that we can understand which part of Vaadin it is that doesn't properly handle the response it receives.

[knoobie]

I had a similar problem and I managed to fix it by using a space after the URL to redirect e.g.

<meta http-equiv="x-v-ref" content="Vaadin-Refresh: https://xxxx/  ">

instead of

<meta http-equiv="x-v-ref" content="Vaadin-Refresh: https://xxxx/">

[HermanBovens]

@Legioth The screenshot is from the user, but I think I found the root cause: I think we enabled Push recently too (or it became the default now?) - at least I see the browser making push requests / having a websocket connection open.

Handling of Vaadin-Refresh is for XHR requests is done in this code in DefaultConnectionStateHandler:

@Override
public void xhrInvalidContent(XhrConnectionError xhrConnectionError) {
    debug("xhrInvalidContent");
    endRequest();

    String responseText = xhrConnectionError.getXhr().getResponseText();
    /*
     * A servlet filter or equivalent may have intercepted the request and
     * served non-UIDL content (for instance, a login page if the session
     * has expired.) If the response contains a magic substring, do a
     * synchronous refresh. See #8241.
     */
    MatchResult refreshToken = RegExp
            .compile(UIDL_REFRESH_TOKEN + "(:\\s*(.*?))?(\\s|$)")
            .exec(responseText);
    if (refreshToken != null) {
        WidgetUtil.redirect(refreshToken.getGroup(2));
    } else {
        handleUnrecoverableCommunicationError(
                "Invalid JSON response from server: " + responseText,
                xhrConnectionError);
    }

}

While there is only a comment "Should likely do the same as xhrInvalidContent" in the method for push requests:

I see this in the code for invalid push responses:

@Override
public void pushInvalidContent(PushConnection pushConnection,
        String message) {
    debug("pushInvalidContent");
    if (pushConnection.isBidirectional()) {
        // We can't be sure that what was pushed was actually a response but
        // at this point it should not really matter, as something is
        // seriously broken.
        endRequest();
    }

    // Do nothing special for now. Should likely do the same as
    // xhrInvalidContent
    handleUnrecoverableCommunicationError(
            "Invalid JSON from server: " + message, null);

}

Note the different error text: since the error in the screenshot starts with "Invalid JSON from server" and not "Invalid JSON response from server", this means that it's indeed a Vaadin Push request. I'll edit the issue title.

[HermanBovens]

I had a similar problem and I managed to fix it by using a space after the URL to redirect e.g.

As you can see in the screenshot, there is no URL (and there is a space). I tried the regex from the code and it matches this content. But it appears to be a Push response and the regex check is not done in that case.

[Legioth]

The push hypothesis makes sense. Thanks for clarifying!

[Artur-]

You can try with 23.3.pushredirect-SNAPSHOT to see if it fixes the problem. Using npx upgrade-vaadin - 23.3.pushredirect-SNAPSHOT if it is a "standard" project or by overriding the flow-bom version otherwise

 <dependencyManagement>
   <dependencies>
     <dependency>
       <groupId>com.vaadin</groupId>
       <artifactId>flow-bom</artifactId>
       <version>23.3.pushredirect-SNAPSHOT</version>
       <type>pom</type>
       <scope>import</scope>
   </dependency>

[vaadin-bot]

This ticket/PR has been released with Vaadin 23.1.13.

[vaadin-bot]

This ticket/PR has been released with Vaadin 23.2.6.

[vaadin-bot]

This ticket/PR has been released with Vaadin 14.9.0.beta1 and is also targeting the upcoming stable 14.9.0 version.